Attachment: Calendar invite from recently registered domain
Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations.
Sublime rule
name: "Attachment: Calendar invite from recently registered domain"
description: "Detects calendar invites (.ics files) from organizers using domains registered within the last 90 days, which may indicate suspicious or malicious calendar invitations."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) > 0
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
  and any(attachments,
          any(file.explode(.),
              any(.scan.ics.calendars,
                  any(.components,
                      any(.organizers,
                          network.whois(.mailbox.email.domain).days_old < 90
                      )
                  )
              )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "ICS Phishing"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Whois"
id: "d801521c-4678-5afa-8f93-d7162ef7a1d3"
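The logic of the rule above, re-implemented as a stand-alone Python script so the matching can be seen on a concrete invite. This is an added example, not Sublime's code or the rule's actual engine: the .ics attachment, the WHOIS creation dates, the fixed "today" date and the domain names are all constructed for the example, and the whois_days_old function is a hypothetical stand-in for the network.whois(...).days_old lookup in the rule. It mirrors the two structural conditions of the rule (every attachment must be a calendar type, and at least one organizer must be on a domain younger than 90 days) and handles RFC 5545 line folding and parameterized ORGANIZER properties such as ORGANIZER;CN=...:mailto:....

```python
"""Stand-alone stand-in for the Sublime rule: flag .ics invites whose
ORGANIZER mailbox domain was registered fewer than 90 days ago.
All sample data below is constructed; nothing is fetched from the network."""
import re
from datetime import date

MAX_AGE_DAYS = 90
CALENDAR_CONTENT_TYPES = {"text/calendar", "application/ics"}

# Constructed stand-in for WHOIS creation dates (hypothetical domains and dates).
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "calendar-invites-2024.example": date(2024, 5, 1),
}
TODAY = date(2024, 6, 15)  # pinned so the result is deterministic

# Constructed sample invite: one VEVENT whose organizer sits on a young domain.
# The ORGANIZER line carries a CN parameter, which the parser must skip over.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//Invite//EN",
    "BEGIN:VEVENT",
    "UID:abc123@calendar-invites-2024.example",
    "DTSTART:20240620T150000Z",
    "SUMMARY:Urgent: account review call",
    "ORGANIZER;CN=\"Billing: Team\":mailto:billing@calendar-invites-2024.example",
    "ATTENDEE;CN=Victim:mailto:victim@example.com",
    "END:VEVENT",
    "END:VCALENDAR",
])


def unfold(ics):
    """RFC 5545 unfolding: a line starting with space or tab continues the previous line."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_property(line):
    """Split 'NAME;PARAM="a:b":value' at the first colon outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, None


def organizer_domains(ics):
    """Return the lowercased domain of every ORGANIZER mailto: address in the file."""
    domains = []
    for line in unfold(ics):
        name_and_params, value = split_property(line)
        if value is None or name_and_params.split(";", 1)[0].upper() != "ORGANIZER":
            continue
        m = re.match(r"(?i)mailto:[^@\s]+@([^\s>]+)", value.strip())
        if m:
            domains.append(m.group(1).lower().rstrip("."))
    return domains


def whois_days_old(domain):
    """Hypothetical stand-in for network.whois(domain).days_old; None when no record exists."""
    created = WHOIS_CREATED.get(domain)
    return (TODAY - created).days if created else None


def attachment_matches(content_type, body):
    """True when a calendar attachment has an organizer on a domain younger than MAX_AGE_DAYS."""
    if content_type not in CALENDAR_CONTENT_TYPES:
        return False
    for domain in organizer_domains(body):
        age = whois_days_old(domain)
        # Unknown age (no WHOIS record) never satisfies the comparison, as in the rule.
        if age is not None and age < MAX_AGE_DAYS:
            return True
    return False


def message_matches(attachments):
    """Mirror the rule: attachments present, all calendar types, any one of them hits."""
    if not attachments:
        return False
    if not all(ct in CALENDAR_CONTENT_TYPES for ct, _ in attachments):
        return False
    return any(attachment_matches(ct, body) for ct, body in attachments)


if __name__ == "__main__":
    print(organizer_domains(SAMPLE_ICS))               # ['calendar-invites-2024.example']
    print(message_matches([("text/calendar", SAMPLE_ICS)]))  # True
```

Two points the script makes visible that matter when tuning the rule: because of the all(attachments, ...) clause, an invite that also carries a PDF or image attachment is not matched even when the organizer domain is brand new, and a domain with no WHOIS record yields no age and therefore never matches. WHOIS records exist for the registrable domain, so a real lookup keyed on the address domain must reduce a subdomain (cal.example.com) to its registrable parent first; the constructed table above is keyed directly on the address domain for simplicity.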
Related rules
- Non-RFC compliant calendar files from unsolicited sender
- Attachment: File execution via Javascript
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Service abuse: Facebook business with action required subject
- Attachment: ICS file with links to newly registered domains